As a data security company, we review our newsfeed for interesting and notable stories involving information security. Among the topics we visit often is the cost of a data breach. We have seen many ways of calculating the financial losses of a data breach when a company is hacked, or when laptop encryption and mobile security software were not used on lost or stolen digital devices.

It's not uncommon to factor in postage, outside consultants, 24-hour toll-free lines, lost employee productivity, legal expenses, damaged reputation, and more. You can add a new element: minimum hourly wage.

Simple Arithmetic

According to databreaches.net, a family-run grocery store based in St. Louis, Schnuck Markets Inc., has calculated the potential fallout from a credit card and debit card hack at $80 million: 500,000 people affected, minimum wage at $7.25/hour, and an assumption that each person spent an average of 2 hours dealing with the effects of the breach (calling up banks because of their credit cards and whatnot).

This actually comes out to "only" $7.25 million. However, take into consideration that "the Illinois Supreme Court has in the past approved a ratio of punitive to compensatory damages of about 11 to 1" (saukvalley.com) and you get a cool $79.75 million.

I'm not sure if that ratio is a maximum or an average of all compensatory damages or what, but all of this appears to have the objective of inflating that final figure.

Why? Because,

Schnucks sought to remove a case from Illinois’ St. Clair County Court to a federal civil court in the Southern District of Illinois. Such courts have jurisdiction when the potential class action includes residents of another state, the amount involved exceeds $5 million, and the class has more than 100 people. [saukvalley.com]

In other words, Schnucks needs some amount that is over $5 million; otherwise, the case remains in county court.

I don't know how it might be advantageous to have a trial in county court vs. federal court (more on this further below, actually), but it looks like Schnucks really wants a change in venue. (Otherwise, why quote $80 million when $7.25 million handily meets the legal requirement?)

Precedent Setting?

The problem, as databreaches.net noted, is that no American court has ever considered the time spent rectifying one's credit as a reason for winning a lawsuit. Indeed, such cases tend to be "summarily dismissed," which is legalese for "not even seeing its day in court because there isn't a case there at all."

Yet, it remains to be seen whether the courts accept the above math as satisfying the condition that the "amount involved exceeds $5 million." If the courts rule that it does, then... well, I don't have to be a lawyer to see that it could be a watershed moment. If this passes muster, then every single lawsuit involving a data breach would reference it; it would be a great setback to businesses and other organizations that have enjoyed a great amount of protection from the courts.

An Expert Weighs In on Venue Change

According to a lawyer quoted in a computerworld.com article, Schnucks is playing a very delicate game. He also gives possible explanations on why the company is looking to have its case tried in federal court:

Schnucks may think it has a fair chance at the federal level because their courts "are generally better equipped and more experienced at handling large class-action data breach lawsuits."

Data breach lawsuits don't tend "to fare well in federal courts," something that I can attest to based on my 5+ years of covering such issues.

The downside, though:

Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it.

It's not that such solutions are infallible. Rather, most states and courts tend to view the presence and use of such solutions as a sign that (1) the company was not being negligent when it comes to data security, and (2) many laws and regulations provide safe harbor when they are used.

Plus, there's the undeniable fact that their use – for example, disk encryption on a laptop full of sensitive data – really does protect the data in the event something goes wrong.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.